A routing and infrastructure intelligence toolkit for security operations teams.
BGP-Intel is designed to help network defenders detect BGP route anomalies efficiently. It ingests live MRT dumps, enriches AS paths with PeeringDB data, and outputs alerts with enrichment metadata as JSON.
- Enriched IP triage and risk profiling
- ASN integrity and upstream intelligence
- Live path visibility and route anomaly checks
- BGP origin mismatch checks for hijack or leak signals
- RPKI validation checks for prefix and origin pairs
- Batch report runner for IP lists
- Lightweight utilities for analyst workflows
- core/ - core Python logic
- core/archive/ - archived shell utilities
- scripts/ - routing checks and automation entrypoints
- tests/ - unit tests
- config/ - example configuration files
- docs/ - future documentation

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

Primary script: core/ip_lookup.py
High-performance Go variant: tools/ip-lookup-go/
Use the Go variant for bulk triage and automation. It is designed for high-concurrency IP enrichment with strict timeouts and consistent output fields. It combines multiple RIPEstat data sources and applies practical detection heuristics in one pass.
Data sources:
- RIPEstat Prefix Overview: ASN and holder intelligence
- RIPEstat RIR Stats Country: country attribution
- RIPEstat Abuse Contact Finder: abuse contact intelligence
Intelligence flags:
- High-risk jurisdiction: RU, CN, IR, KP, SY
- Cloud or data-centre footprint: AWS, Amazon, Azure, Hetzner, DigitalOcean, OVH and other major cloud provider markers
- Anonymiser indicators: VPN, Proxy, Tor, Mullvad
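As an added illustration (not code from BGP-Intel), the three flag sets above applied to a constructed enrichment record, producing the same flat profile keys the tool's JSON output uses. The whole-word matching, the `record` layout and the sample holders are assumptions; only the six named cloud markers are used.

```python
import re

# Flag sets as listed for core/ip_lookup.py (the README's "major cloud provider
# markers" beyond the named six are left to the tool's own configuration).
HIGH_RISK_JURISDICTIONS = {"RU", "CN", "IR", "KP", "SY"}
CLOUD_MARKERS = ("AWS", "Amazon", "Azure", "Hetzner", "DigitalOcean", "OVH")
ANONYMISER_MARKERS = ("VPN", "Proxy", "Tor", "Mullvad")


def has_marker(text, markers):
    """Whole-word, case-insensitive match, so 'Tor' does not fire on holders
    such as 'Vector' or 'Operator' and casing differences do not hide 'OVH'."""
    return any(re.search(rf"\b{re.escape(m)}\b", text, re.IGNORECASE)
               for m in markers)


def build_profile(record):
    """Map a flat enrichment record (assumed layout) onto the JSON profile keys."""
    holder = record.get("holder") or ""
    country = (record.get("country") or "").upper()
    return {
        "ip": record["ip"],
        "asn": str(record.get("asn", "")),
        "holder": holder,
        "country": country,
        "rir": record.get("rir", ""),
        "is_high_risk": country in HIGH_RISK_JURISDICTIONS,
        "is_cloud": has_marker(holder, CLOUD_MARKERS),
        "is_anonymised": has_marker(holder, ANONYMISER_MARKERS),
        "abuse_email": record.get("abuse_email", ""),
    }


# Constructed sample records (documentation ranges, not real lookups).
SAMPLES = [
    {"ip": "203.0.113.10", "asn": 64496, "holder": "Hetzner Online GmbH",
     "country": "DE", "rir": "RIPE NCC", "abuse_email": "abuse@example.net"},
    {"ip": "198.51.100.7", "asn": 64497, "holder": "Mullvad VPN AB",
     "country": "SE", "rir": "RIPE NCC", "abuse_email": "abuse@example.org"},
    {"ip": "192.0.2.44", "asn": 64498, "holder": "Vector Operator Networks",
     "country": "RU", "rir": "RIPE NCC", "abuse_email": ""},
]

if __name__ == "__main__":
    import json
    for rec in SAMPLES:
        print(json.dumps(build_profile(rec)))
```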
Example usage:

```bash
python3 core/ip_lookup.py 8.8.8.8
python3 core/ip_lookup.py 8.8.8.8 --json
```

Example text output:

```text
===============================================================
🔍 IP INTEL REPORT: 193.38.113.3
===============================================================
📊 RISK PROFILE
---------------------------------------------------------------
[✅] JURISDICTION: GB (United Kingdom) - Low Risk
[🏠] TYPE : Residential / Consumer ISP
[🛡️] PRIVACY : No Proxy/VPN detected
🏢 NETWORK IDENTITY
---------------------------------------------------------------
HOLDER: NTL - Virgin Media Limited
ASN : 5089
RIR : RIPE NCC
📩 INCIDENT RESPONSE
---------------------------------------------------------------
ABUSE : abuse@virginmediao2.co.uk
===============================================================
```

Example JSON output:

```json
{
  "ip": "8.8.8.8",
  "asn": "15169",
  "holder": "EXAMPLE - ExampleCloud Ltd",
  "country": "US",
  "country_name": "United States",
  "rir": "ARIN",
  "is_high_risk": false,
  "is_cloud": true,
  "is_anonymised": false,
  "abuse_email": "abuse@examplecloud.net"
}
```

Primary script: core/asn_integrity_audit.py
This script performs ASN-centric network integrity analysis using RIPEstat, with structured checks for entity context, upstream relationships, routing scope, and risk posture.
Key capabilities:
- Resolves ASN input directly, and accepts IP input with automatic ASN resolution.
- Validates announcement status and holder context.
- Counts announced prefixes to estimate network scope.
- Extracts top upstream transit neighbours from Left-side peer data.
- Flags high-risk jurisdictions and newly established ASNs.
Example usage:

```bash
python3 core/asn_integrity_audit.py AS15169
python3 core/asn_integrity_audit.py 8.8.8.8
python3 core/asn_integrity_audit.py AS15169 --json
```

Example text output:

```text
===============================================================
ASN NETWORK INTEGRITY AUDITOR: AS15169
===============================================================
Input Resource : 8.8.8.8 (resolved to AS15169)
🏢 ENTITY INFO
---------------------------------------------------------------
Holder : EXAMPLE - ExampleCloud Ltd
Registration Country: UNKNOWN
Announced Status : True
🌐 ROUTING & PEERING
---------------------------------------------------------------
Managed Prefixes: 1277
Top 3 Upstreams (Left Neighbours):
1. AS6453 | power=469 | v4=39513 | v6=1808
2. AS1299 | power=430 | v4=42492 | v6=6977
3. AS6939 | power=379 | v4=8988 | v6=14457
First Seen: 2000-08-18T08:00:00
Last Seen : 2024-09-23T16:00:00
📊 RISK AUDIT
---------------------------------------------------------------
Jurisdiction Risk: UNKNOWN
[OK] Longevity check: not newly established
===============================================================
```

Example JSON output:

```json
{
  "input": "AS15169",
  "resolved_from_ip": false,
  "asn": "AS15169",
  "holder": "EXAMPLE - ExampleCloud Ltd",
  "registration_country": "UNKNOWN",
  "announced": true,
  "managed_prefix_count": 1277,
  "upstreams_top3": [
    {"asn": "AS6453", "power": 469, "v4_peers": 39513, "v6_peers": 1808},
    {"asn": "AS1299", "power": 430, "v4_peers": 42492, "v6_peers": 6977},
    {"asn": "AS6939", "power": 379, "v4_peers": 8988, "v6_peers": 14457}
  ],
  "first_seen": "2000-08-18T08:00:00",
  "last_seen": "2024-09-23T16:00:00",
  "is_high_risk": false,
  "is_newly_established": false
}
```

Primary script: core/asn_path_finder.py
This script performs high-fidelity routing path analysis using RIPEstat live BGP state and neighbour intelligence. It is intended for network security specialists who need immediate path visibility and upstream context.
Key capabilities:
- Resolves most specific prefix and origin ASN from target IP.
- Extracts live AS path from RIPEstat bgp-state data.
- Formats a clear source-to-destination visual path using `->` arrows.
- Identifies top 3 upstream providers from Left-side ASN neighbours by power.
- Flags paths containing high-risk jurisdiction indicators.
Example usage:

```bash
python3 core/asn_path_finder.py 8.8.8.8
python3 core/asn_path_finder.py 8.8.8.8 --json
```

Example text output:

```text
===============================================================
Routing Analysis Report: 8.8.8.8
===============================================================
Prefix: 8.8.8.0/24
Origin ASN: AS15169 (EXAMPLE - ExampleCloud Ltd)
Live AS-Path:
AS328840 -> AS327727 -> AS15169
Top 3 Upstreams (Left Neighbours):
1. AS6453 | power=469 | v4=39513 | v6=1808
2. AS1299 | power=430 | v4=42492 | v6=6977
3. AS6939 | power=379 | v4=8988 | v6=14457
[OK] No high-risk jurisdiction detected in path analysis
Note: Path is derived from RIPEstat bgp-state first entry and formatted source-to-destination.
===============================================================
```

Example JSON output:

```json
{
  "ip": "8.8.8.8",
  "prefix": "8.8.8.0/24",
  "origin_asn": "AS15169",
  "origin_holder": "EXAMPLE - ExampleCloud Ltd",
  "as_path": ["AS328840", "AS327727", "AS15169"],
  "visual_path": "AS328840 -> AS327727 -> AS15169",
  "path_asn_details": [
    {"asn": "AS328840", "holder": "ST-Digital-AS", "country": "UNKNOWN"},
    {"asn": "AS327727", "holder": "C-SQUARED", "country": "UNKNOWN"},
    {"asn": "AS15169", "holder": "EXAMPLE - ExampleCloud Ltd", "country": "UNKNOWN"}
  ],
  "top_upstreams": [
    {"asn": "AS6453", "power": 469, "v4_peers": 39513, "v6_peers": 1808},
    {"asn": "AS1299", "power": 430, "v4_peers": 42492, "v6_peers": 6977},
    {"asn": "AS6939", "power": 379, "v4_peers": 8988, "v6_peers": 14457}
  ],
  "path_contains_high_risk_jurisdiction": false,
  "high_risk_path_entries": [],
  "note": "Path is derived from RIPEstat bgp-state first entry and formatted source-to-destination."
}
```

Primary script: core/ip_gen.py
This utility generates newline-delimited IPv4 samples for analyst pipelines. It supports normal mode for random global unicast addresses, and a malicious testing mode for controlled risk-flag validation.
Example usage:

```bash
python3 core/ip_gen.py --count 5
python3 core/ip_gen.py --count 5 --malicious
python3 core/ip_gen.py --count 5 --json
python3 core/ip_gen.py -m
```

Example output, malicious command:

```text
$ python3 core/ip_gen.py --count 5 --malicious
175.45.178.166
5.184.0.27
36.112.44.201
5.160.22.114
175.45.176.93
```
Primary script: core/sovereignty_audit.py
This policy-aware auditor evaluates whether traffic remains under European control, or detours through extra-EU jurisdictions. It combines RIPEstat routing state, ASN entity context, and RPKI validation in one verdict-focused report.
Key capabilities:
- Accepts IP, ASN, or URL input (`--url`) and supports piped URL input from `un-shorten.sh`.
- Extracts live AS path from RIPEstat BGP state.
- Flags extra-EU path entries with `[🚩 EXTRA-EU DATA DETOUR]`.
- Flags high-risk jurisdictions in the path with `[⚠️ PATH CONTAINS HIGH-RISK JURISDICTION]`.
- Performs mandatory RPKI validation and marks `invalid` as a potential foreign hijack risk.
- Detects foreign infrastructure dependencies via holder keyword matches.
Example usage:

```bash
python3 core/sovereignty_audit.py 8.8.8.8
python3 core/sovereignty_audit.py AS15169
python3 core/sovereignty_audit.py --url https://bit.ly/example
./un-shorten.sh https://bit.ly/example | python3 core/sovereignty_audit.py
python3 core/sovereignty_audit.py 8.8.8.8 --json
```

Example text output:

```text
================================================================
Initialising Euro Sovereignty Audit: 8.8.8.8
================================================================
Target IP: 8.8.8.8
Prefix: 8.8.8.0/24
Origin ASN: AS15169 (EXAMPLE - ExampleCloud Ltd)
Analysing route path:
AS328840 -> AS327727 -> AS15169
Top 3 Upstreams (Left neighbours):
1. AS6453 | power=469 | v4=39513 | v6=1808
2. AS1299 | power=430 | v4=42492 | v6=6977
3. AS6939 | power=379 | v4=8988 | v6=14457
Routing Integrity (RPKI):
State: valid
[OK] Path remains within known EU/EEA jurisdictions
Authorised Sovereignty Verdict: Sovereign (EU-Only)
================================================================
```
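An added example, not code from BGP-Intel, of the path handling that asn_path_finder.py and sovereignty_audit.py share: take the first RIPEstat bgp-state entry, collapse prepending, render the path with `->` arrows, and flag high-risk and extra-EU hops. The bgp-state shape, the ASN-to-country map and the two non-sovereign verdict strings are assumptions; only "Sovereign (EU-Only)" is the tool's own wording.

```python
# Constructed RIPEstat-style bgp-state response; the shape (data.bgp_state[]
# with a collector-to-origin 'path' list of ints) is assumed, not verified.
BGP_STATE = {"data": {"bgp_state": [
    {"target_prefix": "192.0.2.0/24", "path": [64496, 64496, 64497, 64498]},
]}}
# Constructed ASN -> registration country map (documentation ASNs only).
ASN_COUNTRY = {"AS64496": "DE", "AS64497": "NL", "AS64498": "US", "AS64499": "RU"}

EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",  # EU-27 plus the three EEA EFTA states
}
HIGH_RISK = {"RU", "CN", "IR", "KP", "SY"}


def first_path(bgp_state):
    """Use the first bgp-state entry, as the README's tools do, and collapse
    AS-path prepending so each hop is shown once."""
    entries = bgp_state.get("data", {}).get("bgp_state", [])
    hops = []
    for asn in (entries[0]["path"] if entries else []):
        label = f"AS{asn}"
        if not hops or hops[-1] != label:
            hops.append(label)
    return hops


def analyse_path(path, asn_country):
    """Path-finder fields plus a sovereignty verdict for one AS path."""
    details, high_risk, extra_eu, unknown = [], [], [], []
    for asn in path:
        cc = asn_country.get(asn, "UNKNOWN")
        details.append({"asn": asn, "country": cc})
        if cc == "UNKNOWN":
            unknown.append(asn)
        elif cc in HIGH_RISK:
            high_risk.append(asn)
        if cc != "UNKNOWN" and cc not in EU_EEA:
            extra_eu.append(asn)
    if extra_eu:
        verdict = "Extra-EU data detour"
    elif unknown:  # never certify a path whose hops cannot be attributed
        verdict = "Indeterminate (unknown jurisdiction in path)"
    else:
        verdict = "Sovereign (EU-Only)"
    return {"visual_path": " -> ".join(path), "path_asn_details": details,
            "path_contains_high_risk_jurisdiction": bool(high_risk),
            "high_risk_path_entries": high_risk, "extra_eu_entries": extra_eu,
            "verdict": verdict}
```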
Primary script: scripts/bgp_hijack_check.py

Example usage:

```bash
python3 scripts/bgp_hijack_check.py --prefix 8.8.8.0/24 --expected-asn AS15169
# or baseline CSV with lines: prefix,asn
python3 scripts/bgp_hijack_check.py --baseline baseline.csv --json
```

Data source notes:
- Primary source: RIPEstat Announced Prefixes endpoint
- Fallback source: RIPEstat RIS Prefixes endpoint
- Requests use a custom user agent for stable API handling

Example baseline file: `baseline.csv.example`
Primary script: scripts/rpki_check.py

Example usage:

```bash
python3 scripts/rpki_check.py --prefix 8.8.8.0/24 --asn AS15169
python3 scripts/rpki_check.py --baseline baseline.csv --json
```

Primary script: scripts/run_report.py

Example usage:

```bash
python3 scripts/run_report.py -f ip_addresses.txt
python3 scripts/run_report.py -f ip_addresses.txt --json
```

| Script | Primary Use Case | Input | Output | JSON Flag |
|---|---|---|---|---|
| core/ip_lookup.py | Enriched IP triage with risk profile flags | Single IPv4/IPv6 | Structured text or flat JSON profile | Yes |
| tools/ip-lookup-go/main.go | High-concurrency IP enrichment with worker pool, PTR, RDAP + Cymru fallback, strict timeouts | Single IP or file list | Table or JSON with ASN/BGP prefix/country/abuse/RIR/source/latency | Yes |
| core/asn_integrity_audit.py | ASN network integrity auditing with upstream and risk analysis | ASN or IPv4/IPv6 | Structured audit report or JSON object | Yes |
| scripts/bgp_hijack_check.py | Expected origin ASN mismatch detection | Prefix+ASN or baseline file | Signal status table or JSON | Yes |
| scripts/rpki_check.py | Route Origin Authorisation validation | Prefix+ASN or baseline file | Validity status table or JSON | Yes |
| scripts/run_report.py | Batch enrichment workflow for IP lists | File of IPs | Batch report output, optional JSON | Yes |
| core/asn_path_finder.py | Live AS-path and upstream routing analysis via RIPEstat | IPv4/IPv6 target IP | Structured report or JSON object | Yes |
| core/sovereignty_audit.py | EU sovereignty routing audit with detour and RPKI checks | IP, ASN, URL, or piped URL | Verdict report or full JSON audit | Yes |
| core/ip_gen.py | Generate global unicast IP samples, includes malicious test mode | --count with optional --malicious or --json | Newline IP list or JSON object | Yes |
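The two baseline checks above (scripts/bgp_hijack_check.py and scripts/rpki_check.py), as an added example that is not code from BGP-Intel: origin mismatch detection over a `prefix,asn` baseline, including more-specifics announced by another ASN, and RFC 6811 origin validation against a ROA set. The observed announcements and the ROAs are constructed stand-ins for the RIPEstat and RPKI lookups the scripts perform.

```python
import csv
import io
import ipaddress

# Constructed baseline in the README's "prefix,asn" CSV layout.
BASELINE_CSV = "prefix,asn\n192.0.2.0/24,AS64496\n198.51.100.0/24,AS64497\n"
# Constructed stand-in for the announced-prefixes lookup: origin ASN -> prefixes.
OBSERVED = {
    "AS64496": ["192.0.2.0/24"],
    "AS64497": ["198.51.100.0/25"],    # expected origin announcing a more-specific
    "AS64510": ["198.51.100.128/25"],  # other origin, more-specific: hijack/leak signal
}
# Constructed ROA set as (prefix, maxLength, asn) tuples.
ROAS = [("192.0.2.0/24", 24, "AS64496"), ("198.51.100.0/24", 24, "AS64497")]


def covers(outer, inner):
    """Containment that is safe across address families (subnet_of raises)."""
    outer, inner = ipaddress.ip_network(str(outer)), ipaddress.ip_network(str(inner))
    return outer.version == inner.version and inner.subnet_of(outer)


def origin_conflicts(prefix, expected, observed):
    """Any announcement of the prefix or a more-specific from an ASN other
    than the expected origin is a hijack or leak signal."""
    return [{"asn": asn, "prefix": p} for asn, nets in observed.items()
            if asn != expected for p in nets if covers(prefix, p)]


def rpki_state(prefix, asn, roas):
    """RFC 6811 origin validation: valid if a covering ROA matches the ASN
    within maxLength, invalid if covered without a match, else not-found."""
    plen = ipaddress.ip_network(str(prefix)).prefixlen
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if covers(roa_prefix, prefix):
            covered = True
            if roa_asn == asn and plen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def run_baseline(text, observed, roas):
    """One result row per baseline pair, as a --baseline run would produce."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        prefix, asn = r["prefix"].strip(), r["asn"].strip().upper()
        conflicts = origin_conflicts(prefix, asn, observed)
        for c in conflicts:  # an invalid ROA state on the other origin strengthens the signal
            c["rpki"] = rpki_state(c["prefix"], c["asn"], roas)
        rows.append({"prefix": prefix, "expected_asn": asn, "rpki": rpki_state(prefix, asn, roas),
                     "conflicts": conflicts, "status": "MISMATCH" if conflicts else "OK"})
    return rows
```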
- Public API rate limits may affect high-volume runs.
- Do not commit real API keys.
- Keep secrets in local config only.
```bash
# 1) Run a core check
# 2) Request JSON output
# 3) Pipe into jq for analyst workflows
```

License: MIT
Path: tools/ip-lookup-go/
This is the performance-focused implementation for IP enrichment at scale.
- Worker pool architecture (`--workers`) for fast batch processing
- Strict per-lookup timeout (`--timeout`) to avoid hanging requests
- Reverse DNS (PTR) + RDAP + Team Cymru fallback
- Consistent output for SOC workflows (table or `--json`)

```bash
cd tools/ip-lookup-go
./build.sh
```

Single IP:

```bash
./ip-lookup --ip 8.8.8.8
```

Batch file:

```bash
./ip-lookup --file ips.txt --workers 50 --timeout 2s
```

JSON output:

```bash
./ip-lookup --file ips.txt --workers 50 --json
```

Output fields:
- IP
- IP Version
- Hostname (PTR)
- ASN
- BGP Prefix
- Organisation
- Country Code
- Abuse Email
- RIR
- Lookup Source (`RDAP`, `Cymru`, `RDAP+Cymru`)
- Lookup Latency (ms)
- Status